From: "Mukund Sivaraman"
To: "Jim Yang via RT"
Subject: Re: [ISC-Bugs #45482] BIND bug report
Date: Fri, 30 Jun 2017 01:36:11 +0530
Message-ID: <20170629200611.GA30247@jurassic>

Hi Jim

On Thu, Jun 29, 2017 at 07:39:34PM +0000, Jim Yang via RT wrote:
> As per Mukund Sivaraman’s suggestion, I am reporting a bug in BIND. This name “sign.encoding.information.uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp.chinaboca.com” was successfully loaded into a RPZ zone.
> The label “uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp” is 64 bytes long (> label limit 63 bytes RFC 1035)
>
> The sample RPZ zone is listed below.
>
> $ORIGIN rpz.example.com.
> $TTL 1H
> @               SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
>                 NS  LOCALHOST.
>
> ; QNAME policy records.
> ; Note: There are no periods (.) after the (relativised) owner names.
>
> sign.encoding.information.uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp.chinaboca.com A 10.0.0.1 ; redirect to walled garden
>                 AAAA 2001:2::1

From the zone above:

[muks@jurassic bind9]$ echo -n "uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp" | wc -c
63
[muks@jurassic bind9]$

That label is not 64 octets long, it is 63 octets long. I have verified by adding an extra octet to this long label that it is then rejected by named-checkzone.

Mukund
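
The length check discussed in this message, as an added example that is not part of the original e-mail and is not BIND's code. It counts label lengths in octets for an owner name from a zone file, decoding `\DDD` and `\X` escapes first, and applies the RFC 1035 limits of 63 octets per label and 255 octets per name. The function names `split_labels` and `check_name` are made up for this sketch.

```python
MAX_LABEL = 63   # RFC 1035: octets in a single label
MAX_NAME = 255   # RFC 1035: octets in the whole name on the wire

# The long label from the report quoted above.
PAGE_LABEL = "uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp"

def split_labels(name):
    """Split a presentation-format name into labels (bytes), decoding
    \\DDD and \\X escapes so that lengths are counted in octets."""
    if name == ".":
        return []                      # the root name has no labels
    data, labels, cur, i = name.encode("utf-8"), [], bytearray(), 0
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            ddd = data[i + 1:i + 4]
            if len(ddd) == 3 and ddd.isdigit():
                if int(ddd) > 255:
                    raise ValueError("escape out of range: \\" + ddd.decode())
                cur.append(int(ddd)); i += 4
            elif i + 1 < len(data):
                cur += data[i + 1:i + 2]; i += 2
            else:
                raise ValueError("dangling backslash")
        elif c == b".":
            labels.append(bytes(cur)); cur = bytearray(); i += 1
        else:
            cur += c; i += 1
    if cur:
        labels.append(bytes(cur))
    return labels

def check_name(name, origin=""):
    """Return a list of limit violations for an owner name; relative names
    (no trailing dot) are completed with origin, as in a zone file."""
    full = name if name.endswith(".") or not origin else name + "." + origin
    labels = split_labels(full)
    problems = []
    for label in labels:
        if not label:
            problems.append("empty label")
        elif len(label) > MAX_LABEL:
            problems.append("label is %d octets (limit %d)" % (len(label), MAX_LABEL))
    wire_len = sum(len(l) + 1 for l in labels) + 1   # length octets + root
    if wire_len > MAX_NAME:
        problems.append("name is %d octets on the wire (limit %d)" % (wire_len, MAX_NAME))
    return problems

if __name__ == "__main__":
    owner = "sign.encoding.information.%s.chinaboca.com" % PAGE_LABEL
    print(check_name(owner, "rpz.example.com."))
    print(check_name(owner.replace(PAGE_LABEL, PAGE_LABEL + "x"), "rpz.example.com."))
```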